Improving Examination Results - May 2007

May 2007

NASD issues this annual publication to assist member firms in their compliance efforts. As in prior years, this document has two sections: "Examination Priorities" and "Frequently Found Violations." While every firm must establish its own compliance programs and supervisory procedures, members have commented that it is very helpful when NASD shares its potential routine examination priorities and findings—this permits firms to focus their efforts on timely issues and to better prepare for regulatory examinations. This document also offers guidance on how to avoid common compliance pitfalls.

Examination Priorities

Anti-Money Laundering (AML)

All member firms must implement an AML compliance program, identify an AML compliance person to NASD, institute written procedures to detect and report any suspicious activity through a SAR-SF, implement a written Customer Identification Program (CIP), establish an annual training program specific to AML and conduct an adequate independent test as required by NASD Rule 3011. AML continues to be an examination focus, especially with respect to suspicious activity monitoring and customer identification. View NASD's AML Issue Center Web page for more detailed guidance.

Data Integrity

The accuracy and timeliness of data provided to NASD is essential to adequately examine and conduct surveillance of member firm and associated person activities. Failure to provide accurate and timely information results in inefficient examinations, impedes investor protection and can create a greater regulatory burden for firms. In routine examinations, NASD is focusing on data integrity reviews regarding CRD filings (Forms U4, U5, BD, and BR), the 3070 reporting system, Blue Sheets and data reported pursuant to NASD Rule 3150.

Electronic Communications

Before employing electronic storage media, member firms are required to notify, in writing, their Designated Examining Authority. As of January 1, 2007, this notification is required to be made electronically pursuant to NASD Rule 3170 (see Notice to Members (NTM) 06-61). NASD examiners are focusing on this filing requirement, and will continue to review this to ensure that firms' use of electronic storage media to maintain and preserve required records meets the requirements of SEC Rule 17a-4(f).

Protection of Customer Information

With the growing use of online accounts and data storage, member firms face increasing risks of security breaches that could result in the loss of confidential customer information. Examiners conduct reviews to ensure that firms have adequate systems in place for protecting customer information and data, including periodic testing or training, as appropriate.

Suitability (Specifically for Products with a Limited Market)

Member firms must consider the suitability of any products they recommend to their customers. In recent years, there has been a proliferation of products in the market, and some of these products are not necessarily suitable for all customers, such as hedge funds, equity-indexed annuities, structured products and 529 plans. More traditional examples are private placements, REITs, high-yield and non-investment grade bonds, and CMOs. All product recommendations must take into account the customer's investment time horizon, available funds, existing investments and investment objectives, among other things. Firms should not recommend products that are not understood by their salespersons. NASD has issued a number of related NTMs, including NTM 05-26 (new products), NTM 05-50 (equity-indexed annuities), NTM 03-07 (hedge funds), NTM 03-71 (non-conventional instruments), NTM 04-30 (bonds and bond funds) and NTM 06-38 (sale of existing variable life insurance policies to third parties).

Supervision

Supervision is an essential component of all NASD examinations. The supervisory structure that firms implement is crucial to achieving overall compliance with applicable rules and regulations. Firms must establish adequate systems, policies and procedures for all areas of their business, and appropriately review and update their supervisory system. Firms should also have procedures in place for reviewing and identifying individuals or business types that require enhanced scrutiny due to sales practice concerns, such as a pattern of customer complaints. NASD focuses on Rules 3010, 3012 and 3013 during routine examinations. For additional information on the recent supervisory control provisions of these rules, view NTM 04-71, NTM 04-79, NTM 05-08, NTM 05-29, NTM 06-04 and NTM 06-11. For guidance on the establishment of adequate written supervisory procedures, heightened supervision of high-risk brokers and an adequate supervisory system, see NTM 97-19, NTM 99-45 and NTM 98-96.

Transaction Reporting

NASD continues to see rule violations related to the timeliness and accuracy of transaction reporting, especially in the fixed income area. Transaction reporting is a focus of NASD's automated surveillance and on-site examinations of member firms. Firms are reminded that they are responsible for the accuracy of the transaction information reported on their behalf, regardless of the means by which that information is reported to NASD.

Variable Insurance Products

The complexity of variable insurance products, coupled with continuing instances of sales practice violations and supervisory failures, continue to make this area an examination priority. Examiners review for the suitability of recommendations of variable insurance products, including not only the appropriateness of the recommended contract, but also the appropriateness of any additional features or benefits. View NTM 99-35 and NTM 00-44 for guidance. NASD also recently issued NTM 07-06, which addresses suitability considerations regarding recommendations made by newly associated registered representatives to replace mutual funds or variable annuities.

Short Interest Reporting

On March 6, 2007, the SEC approved a rule change to NASD Conduct Rule 3360 to require member firms to increase the frequency of short interest reporting of NASDAQ-listed and OTC equity securities from monthly to bi-weekly. The amended short interest reporting requirements become effective 180 days (September 2007) after the SEC approval date to give members adequate time to make any necessary changes to their systems to ensure compliance with the new rule requirements.

Firms will be required to report short positions as of the close of business on the settlement date of the 15th of the month for the mid-month short interest report, or, where the 15th is a non-settlement date, on the preceding settlement date. For the end-of-month report, members must report their short positions as of the close of business on the last business day of the month on which transactions settle.

NASD Conduct Rule 3360 requires members to report short interest "information to NASD in such a manner as may be prescribed by NASD." Accordingly, for each filing period, members must submit their short interest positions for NASDAQ-listed and OTC equity securities to NASD no later than 6:00 p.m., Eastern Time, on the designated due date, which is the second business day after the designated settlement date. In addition, firms that have short positions in a security listed on a registered national securities exchange that is not otherwise reported to another self-regulatory organization (SRO) (e.g., NYSE-listed securities) should submit their short positions to NASD by 1:00 p.m., Eastern Time, on the designated due date.

See NASD's 2007 Short Interest Reporting Deadlines and NASD Conduct Rule 3360 for more information.

Blue Sheets

In September 2005, NASD issued NTM 05-58, which states that all member firms and member organizations, or their Electronic Blue Sheet (EBS) data providers, must conduct a validation of all required EBS data elements to ensure that EBS transmissions are consistent with current standards and accurately reflect members' books and records. In June 2006, NASD issued NTM 06-33, which states that all member firms and member organizations that reported inconsistencies with overall EBS standards were required to remediate such inconsistencies by December 31, 2006. [It should be noted that all members and member organizations that corrected EBS inconsistencies were required to provide written confirmation by electronic mail to their designated SRO that such remediation was completed.]

Online Brokerage Account Intrusions

In recent months, customer accounts at online brokerage firms have been the target of an increasing number of intrusions and unauthorized trading. It appears that the intruders have gained access to customer accounts by using a number of illicit tactics to obtain customer user names and passwords. Once intruders gain access to a customer account, firms have reported that the customer's assets are depleted either through wire transfers of cash or purchases of securities, which the intruders have pre-positioned at third-party firms. Account intrusion schemes can impact all firms that offer online access to customers. While securities from all market classes have been targeted, the majority of the securities utilized by the perpetrators of intrusion schemes have been low-priced, thinly traded Over-the-Counter Bulletin Board and Pink Sheet securities. NASD recommends that firms that offer online customer access and trading assess their internal surveillance and develop a contingency plan to handle these situations.

Individuals perpetrating intrusion schemes could have accounts at member firms. NASD recommends that firms be diligent in this regard and consider using "red flag" criteria to identify suspicious accounts and anti-money laundering, as outlined in Special NTM 02-21, and report suspicious activity to NASD.

Since December 2006, the SEC has filed four complaints against multiple individuals and entities that appear to have perpetrated account intrusions. In one instance, the SEC took action to freeze assets held in a U.S. brokerage account by one of the alleged intruders. For additional information on these cases, see the following SEC Litigation Releases:

http://www.sec.gov/litigation/litreleases/2007/lr20037.htm
http://www.sec.gov/litigation/litreleases/2007/lr19981.htm
http://www.sec.gov/litigation/litreleases/2006/lr19949.htm
http://www.sec.gov/litigation/litreleases/2007/lr20030.htm

Regulation NMS Compliance Dates Extended

SEC Regulation NMS (Reg NMS) establishes a set of rules that are designed to modernize and strengthen U.S. equity markets. In particular, member firms that are Trading Centers (as defined in Reg NMS Rule 600) are required to comply with Rule 611 (the Order Protection Rule) and Rule 610 (the Access Rule). The Order Protection Rule, also commonly referred to as the "trade-through rule," provides intermarket protection against trade throughs for all "automated" quotations displayed on markets. The Order Protection Rule requires Trading Centers to establish, maintain and enforce policies and procedures to prevent trade-throughs of automated quotations, subject to certain exceptions. The Order Access Rule prohibits Automated Trading Centers (as defined in Rule 600) from imposing "unfairly discriminatory terms" on access to their quotations.

The compliance dates for Regulation NMS's Order Protection Rule and Access Rule are as follows:

Trade Phase Date: March 5, 2007. The revised Trading Phase now will extend from March 5, 2007 until July 9, 2007.
Pilot Stocks Phase Date: July 9, 2007. The revised Pilot Stock Phase now will extend from July 9, 2007 until August 20, 2007.
All Stocks Phase Date: August 20, 2007. The revised All Stocks Phase now will extend from August 20, 2007 until October 8, 2007.
Completion Date: October 8, 2007.

Described below are several rule changes that NASD and NASDAQ have adopted as a means of ensuring compliance with certain provisions of Reg NMS.

Intermarket Sweep Orders (ISOs), as this term is defined within Rule 600, are intended to facilitate the ability of Trading Centers to conduct order routing strategies in compliance with the Order Protection Rule. NASD has submitted a rule filing with the SEC (NASD-2007-028) that is intended to require members that transmit an ISO order in a NASDAQ security to record and report to the Order Audit Trail System (OATS) that such an order was an ISO. Furthermore, effective March 5, 2007, a special handling code of "ISO" was added to the OATS technical specifications, and member firms should use this code when in receipt of an ISO order in a NASDAQ security.
Certain exceptions and exemptions to the Order Protection Rule have been identified within Rule 611. NASD has adopted Trade Reporting Rules for each NASD Trade Reporting Facility that become effective on the Reg NMS Pilot Stocks Phase Date, which is scheduled for July 9, 2007. For additional information on these trade reporting requirements, see NTM 07-23.
NASD has issued NTM 06-67, which discusses NASD rule amendments adopted to align other NASD rules, particularly NASD ADF rules, with those in Reg NMS.
NASDAQ has adopted several rule changes to facilitate the use of ISO orders within the NASDAQ system. Among the changes is the ability to send ISO orders to NASDAQ and, via Directed Orders, to an exchange other than NASDAQ. NASDAQ rules specify that the broker-dealers that use the ISO orders are required to comply with Rules 610 and 611 of Reg NMS.

For additional information, see the SEC Spotlight on Regulation NMS.

Order Audit Trail System (OATS)

OATS Phase III, which became effective on July 10, 2006, comprises amendments that generally require that all order events for NASDAQ-listed securities, both manual and electronic, be reported to NASD. The Phase III amendments included a provision granting NASD exemptive authority for small firms meeting specified criteria. NASD exercised this authority and granted an exemption to all firms meeting the specified criteria. This exemption currently runs through January 2008. Further, approximately 600 additional firms are excluded from the OATS reporting requirements based on their order routing practices, whereby they route all order flow immediately to an OATS reporting member.

On October 10, 2006, the SEC approved amendments to the OATS Rules to expand the OATS reporting requirements to over-the-counter (OTC) equity securities. Under the amendments, members will be required to record and report order information relating to "OTC equity securities." The original effective date of the amendments was June 11, 2007. In response to members' concerns regarding the resources necessary for implementing Reg NMS, NASD filed a rule proposal for immediate effectiveness with the SEC moving the effective date to February 4, 2008. In addition, NASD anticipates filing a rule proposal in the near future to clarify the scope of foreign securities that will be subject to the OATS Rules.

See the following for additional information:

NTM 06-15: SEC Approves Expansion of NASD's Exemptive Authority under the OATS Rules; NASD Provides Additional Guidance Regarding Exemptive Relief and Encourages Exempted and Other Small Firms to Test the Enhanced OATS Web Interface
NTM 06-70: SEC Approves Amendments Expanding the OATS Requirements to OTC Equity Securities and NASD Publishes Revised OATS Reporting Technical Specifications
NASD rule filing to delay the implementation date of SR-NASD-2005-101, which expanding the OATS reporting requirements to include OTC equity securities until February 4, 2008.
NASD's OATS Web page: www.finra.org/oats

Frequently Found Violations Update

Written Supervisory Procedures (NASD Conduct Rule 3010)

Violation: Members are required to establish, maintain and enforce an adequate supervisory system. Supervisory systems are composed of many different elements—both objective, such as regular reviews of specific areas of activity, and subjective, including placing competent, qualified and experienced individuals in supervisory roles. Written supervisory procedures document the supervisory system that the member has established.

NASD examiners sometimes encounter firms with procedures that do not include a description of the controls and procedures actually used by a firm to reasonably detect and prevent misconduct, but that instead merely repeat the rule requirements or firm policies. Moreover, examiners encounter instances where it is not clear who is responsible for a particular supervisory function.

Why this is important: Without an adequate supervisory system with accountable individuals, firms cannot properly supervise the business of their firms, supervise their associated persons, or achieve compliance with applicable securities laws and rules. Having adequate written supervisory procedures allows firms to properly supervise registered representatives, and also support training registered representatives so that they are aware of firms' procedures and compliance responsibilities.

The solution: Members must have written supervisory procedures that adequately address all activities in which the firm engages and that adequately describe how the firm supervises the activity and who does it. A firm's written supervisory procedures should clearly state: (i) Who: the identification of the principal responsible for conducting the subject procedure; (ii) What: a description of the specific procedure that is to be conducted by the supervisor; (iii) When: a statement as to when or how often the specific procedure is to be conducted; and (iv) How: a statement as to how the firm will evidence the fact that the procedure has been conducted.

A number of resources are available on NASD's Web site that are designed to assist with compliance responsibilities (e.g., templates, frequently asked questions, Notices to Members, transcripts of educational compliance workshops and more).While there are a number of resources on NASD's Web site, member firms frequently cite NTM 99-45 (guidance on supervisory responsibility) as highly valuable on the topic of supervision and compliance.

Business Continuity Planning

Violation: NASD Rule 3510 requires each member firm to create and maintain a business continuity plan (BCP) and enumerates certain requirements that each plan must address. The rule further requires firms to update their BCPs upon any material change and, at a minimum, to conduct an annual review of their plans. Firms also must disclose to its customers how its BCP addresses the possibility of a significant business disruption and how the member plans to respond to events of varying scope. Rule 3520 requires members to designate two emergency contact persons and provide this information to NASD via electronic notice. It has been noted that many firms have failed to prepare an adequate BCP, failed to update the plan as necessary, or failed to designate qualified emergency contact persons. Rule 3510 has been effective since August 11, 2004 for clearing firms, and since September 10, 2004 for introducing firms. Rule 3520 has been effective since June 14, 2004.

Why this is important: Failure to have an adequate and current plan could leave a firm—and its customers—vulnerable if the firm faces an emergency or significant business disruption.

The solution: Each member firm, regardless of size or business type, must develop a BCP reasonably designed to enable it to meet its existing obligations to customers. The plan must, at a minimum, address the ten elements listed in the rule. Additionally, the plan must be updated to address any significant changes to the member's business, operations, structure and/or location. The plan must be approved by an appropriate member of senior management who is a registered principal. Members must also designate two emergency contacts who are registered as principals, and must communicate the names of the contact persons to NASD via the NASD Contact System. Further information regarding these rules, including applicable NTMs, Frequently Asked Questions and a small firm template, are available on NASD's Business Continuity Planning Web page.

Supervisory Control Rule

Violation: NASD Conduct Rule 3012 became effective on January 31, 2005, and requires members to designate and specifically identify one or more principals who shall establish, maintain and enforce a system of supervisory control policies and procedures, and where necessary, create additional or amend supervisory procedures. Specifically, all member firms are required to establish, maintain and enforce written supervisory control polices and procedures that are designed to:

(A) review and supervise on a day-to-day basis the customer account activity conducted by branch office managers, sales managers, regional or district sales managers, or any person performing a similar supervisory function, and that a person senior to or independent of the producing manager must conduct the review;

(B) review and monitor (i) all transmittals of funds (including wires or checks) or securities from member firm customers to third-party accounts or outside accounts; (ii) customer changes of address and the validation of such changes of address; and (iii) customer changes of investment objectives; and

(C) provide heightened supervision over the activities of each producing manager who is responsible for generating 20% or more of the revenue of the business units supervised by the producing manager's supervisor.

Furthermore, designated principals must submit to the member's senior management, no less than annually, a report detailing each member's system of supervisory controls, the summary of the test results and significant identified exceptions, and any additional or amended supervisory procedures created in response to the test results.

NASD examiners have frequently found that members have failed to establish adequate supervisory control procedures, failed to implement stated control procedures, failed to supervise the sales activities of producing managers, failed to submit a Rule 3012 report to the firm's senior management and, if relied upon, failed to adequately provide electronic notification to NASD within 30 days of reliance upon the "limited size and resource" exception of the rule and annually thereafter. Member firms also need to provide notice if they stop relying on "the limited size and resource" exception. A member's first Rule 3012 report should have been submitted to the member firm's senior management by April 1, 2006, and encompass the period from January 31, 2005 to the submission date. Firms must ensure that each ensuing Rule 3012 report not be for a period greater than 12 months from the date of the preceding Rule 3012 report.

Why this is important: Adequate supervisory systems play an important role in ensuring investor protection and market integrity (see Notice to Members 04-71). Failure to properly establish and enforce supervisory and supervisory control procedures could give rise to sales practice and operational abuses by registered representatives or others. Rule 3012 specifically addresses the supervision of producing managers and misappropriation of customer funds by the firm's employees. Failure to implement the requirements of Rule 3012 could leave a firm vulnerable to sales practice issues that arise when producing managers' sales activities are not adequately supervised. The rule also requires supervisory control procedures for three specific supervisory areas: (1) reviews of the transmittal of customer funds or securities, (2) changes in customer addresses and (3) changes in customer investment objectives. If supervisory procedures are not established, implemented and enforced in these three areas, the results could lead to customer harm and potentially aid in the misappropriation of customer funds.

The solution: Each member firm, regardless of size or business type, must establish, maintain and enforce a system of supervisory control policies and procedures that test and verify the firm's policies and procedures. Firms must ensure that a person senior or "otherwise independent" to producing branch managers are performing the day-to-day supervisory reviews of the producing branch managers' activities and must alternate such review responsibility with another qualified person every two years or less. In the instance where a firm is relying on the "limited size and resource" exception, firms must file notification electronically via the Rule 3012 notification system within 30 days of reliance on the exception and annually thereafter. Again, member firms need to provide notice if they stop relying on the exception.

Firms must ensure that heightened supervision procedures are established and enforced over the activities of each producing manager who is responsible for generating 20% or more of the revenue (which must be calculated on a rolling 12-month basis) of the business units supervised by the producing manager's supervisor. Firms must ensure that the procedures related to preventing and detecting misappropriation of customer funds are adequate and enforced. Finally, on an annual basis, the firm's designated principals must submit a report detailing the firm's system of supervisory controls, the summary of the test results and exceptions noted, as well as any additional or amended supervisory procedures created in response to the test results.

While there are a number of helpful resources on NASD's Web site regarding supervisory control procedures, NTMs 04-71, 05-29, and 06-04 are highly valuable references for member firms on the topic of NASD Conduct Rule 3012.

Anti-Money Laundering (AML) (NASD Rule 3011)

Violation: NASD Conduct Rule 3011 requires member firms to develop and implement a written AML program reasonably designed to achieve and monitor the firm's compliance with the requirements of the Bank Secrecy Act (31 U.S.C. 5311, et seq.) and the implementing regulations promulgated by the Department of the Treasury. Effective April 24, 2002, member firms are required to establish and enforce a supervisory system to report suspicious activities to the Department of Treasury through the filing of reports to FinCEN (or in the case of capital movements and invisible transactions (CMITs), the filing of reports to the Commissioner of Customs). Examiners have frequently found that member firms fail to establish, implement and enforce procedures for the detection, recordkeeping and reporting of suspicious activity.

Why this is important: A program to report suspicious activity is a requirement of a firm's AML program pursuant to Rule 3011, and is essential for a firm's ability to detect and deter money laundering. Failure by a firm to establish, implement, document and enforce supervisory procedures for the detection and reporting of suspicious activity could not only subject the firm to NASD action, but could also subject the firm to potentially serious civil and criminal liability.

The solution: Establish, document and maintain an effective program to detect and report suspicious activity. Regardless of the nature or size of a firm's business, all members are required to have procedures for suspicious activity reporting. At a minimum, the firm's AML program must establish and enforce procedures for suspicious activity detection and reporting that include: (a) procedures for identifying money laundering "red flags"; (b) procedures for suspicious activity reporting; (c) procedures for recordkeeping and disclosure; (d) procedures to ensure compliance with the BSA provision to file currency transaction reports; and (e) procedures to ensure compliance with the BSA provision to file currency and monetary instrument transportation reports.

For more information on AML, suspicious activity reporting and tools to assist you in complying with AML requirements, please see NASD's AML Issue Center Web page.

Electronic Communications

Before employing electronic storage media, member firms are required to notify their Designated Examining Authority. As of January 1, 2007, the notice and third-party undertaking filing requirements of SEC Rule 17a-4(f) are required to be submitted electronically in accordance with Rule 3170 (see NTM 06-61). Examiners focus on the filing of the required notification with NASD, and review to ensure that the use of electronic storage media by member firms to maintain and preserve required records meets the requirements of SEC Rule 17a-4(f).

SEC Rule 17a-4(f) requires broker-dealers that utilize "electronic storage media" to maintain and preserve records in accordance with the requirements of SEC Rules 17a-3 & 17a-4 and to comply with the rule's specifications for storage media and other rule requirements. The rule states, among other things, that electronic storage media must:

(A) Preserve the records exclusively in a non-rewriteable, non-erasable format;
(B) Verify automatically the quality and accuracy of the storage media recording process;
(C) Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media; and
(D) Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under this paragraph (f) as required by the Commission or the self-regulatory organizations of which the broker or dealer is a member.

As noted, the rule requires that prior to storing records in this manner, broker-dealers must provide notice to the NASD as well as a third-party undertaking. If a broker-dealer intends to utilize non-optical disk technology (including CD/DVD-ROM) to maintain records, then 90-day prior notice must be provided to NASD. On May 12, 2003, the SEC issued interpretative guidance on non-optical disk technology (see SEC Release No. 34-47806).

While a firm is not required to maintain records using "electronic storage media," if records are maintained and preserved in this manner it is imperative that the firm comply with the rule requirements.

Violation: The most frequent violations found during routine examinations include failure to provide the required notice and storing records in a manner inconsistent with the rule specifications. For example, firms should not store electronic communications (i.e., email or instant messages) exclusively on a computer's hard drive or on the firm's network server. Some firms employing these storage mechanisms have lost records. Remember, if you store records using electronic storage media, the rule requires that a duplicate copy be stored separately from the original. Another common misconception is that broker-dealers are only required to maintain customer-related communications. SEC Rule 17a-4(b)(4) requires broker-dealers to maintain communications (including inter-office memoranda) relating to its business as such.

Why this is important: The creation and preservation of records forms the foundation from which the activities of broker-dealers and associated persons are supervised. Not only do firms need these records in order to supervise their business, but regulatory bodies rely on these records to perform their regulatory obligations. A broker-dealer may also be required to produce records in connection with an arbitration or court proceeding, among other things. Firms that do not comply with these requirements risk the permanent loss of records and the attendant audit trail.

The Solution: The rule provides firms the flexibility to maintain their own records electronically or in hard copy form. Firms can also elect to utilize the services of independent third-party providers. While NASD neither recommends nor endorses service providers, there are numerous service providers that offer assistance to firms with the capture of records at the network level, such as emails and instant messages, and with retention of those records. The systems of some service providers also facilitate electronic-based supervisory reviews. If your firm utilizes the services of a third party to assist with the retention of records, the notice and third-party undertaking must still be filed. See NTM 97-43 and the April 2003 NTM For Your Information for additional information. Firms should ensure that their supervisory system is tailored to its chosen method of record retention.